[libpdfbox-java] 01/01: Fixed CVE-2016-2175: XML External Entity vulnerability

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Wed Jun 1 10:02:58 UTC 2016



ebourg-guest pushed a commit to branch jessie
in repository libpdfbox-java.

commit 1e97f7949fc017d753b01240e9b851ce0a1b3a93
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Jun 1 11:16:56 2016 +0200

    Fixed CVE-2016-2175: XML External Entity vulnerability
---
 debian/changelog                   |  6 +++
 debian/patches/CVE-2016-2175.patch | 78 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 85 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5f05225..2cfda18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libpdfbox-java (1:1.8.7+dfsg-1+deb8u1) jessie-security; urgency=high
+
+  * Fixed CVE-2016-2175: XML External Entity vulnerability
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Wed, 01 Jun 2016 11:15:54 +0200
+
 libpdfbox-java (1:1.8.7+dfsg-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/CVE-2016-2175.patch b/debian/patches/CVE-2016-2175.patch
new file mode 100644
index 0000000..128428b
--- /dev/null
+++ b/debian/patches/CVE-2016-2175.patch
@@ -0,0 +1,78 @@
+Description: Fixes CVE-2016-2175: XML External Entity vulnerability
+Origin: backport, https://svn.apache.org/r1739564
+--- a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
++++ b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+@@ -71,6 +71,12 @@
+         try
+         {
+             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++            builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++            builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++            builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++            builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++            builderFactory.setXIncludeAware(false);
++            builderFactory.setExpandEntityReferences(false);
+             DocumentBuilder builder = builderFactory.newDocumentBuilder();
+             return builder.parse( is );
+         }
+--- a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
+@@ -148,6 +148,12 @@
+     public Document getDocument() throws ParserConfigurationException, SAXException, IOException 
+     {
+         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++        factory.setXIncludeAware(false);
++        factory.setExpandEntityReferences(false);
+         factory.setNamespaceAware(true);
+         DocumentBuilder builder = factory.newDocumentBuilder();
+         Document xfaDocument = builder.parse(new ByteArrayInputStream(this.getBytes())); 
+--- a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+@@ -56,6 +56,12 @@
+         try
+         {
+             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++            builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++            builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++            builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++            builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++            builderFactory.setXIncludeAware(false);
++            builderFactory.setExpandEntityReferences(false);
+             DocumentBuilder builder = builderFactory.newDocumentBuilder();
+             return builder.parse( is );
+         }
+--- a/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
++++ b/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
+@@ -67,7 +67,6 @@
+ 
+ public class DomXmpParser
+ {
+-
+     private DocumentBuilder dBuilder;
+ 
+     private NamespaceFinder nsFinder;
+@@ -79,6 +78,12 @@
+         try
+         {
+             DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
++            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++            dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++            dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++            dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++            dbFactory.setXIncludeAware(false);
++            dbFactory.setExpandEntityReferences(false);
+             dbFactory.setNamespaceAware(true);
+             dBuilder = dbFactory.newDocumentBuilder();
+             nsFinder = new NamespaceFinder();
+@@ -87,7 +92,6 @@
+         {
+             throw new XmpParsingException(ErrorType.Configuration, "Failed to initilalize", e);
+         }
+-
+     }
+ 
+     public boolean isStrictParsing()
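Review bot: Every added setFeature() call throws ParserConfigurationException when the JAXP provider does not recognise the feature name, and the four URIs used here are Xerces-specific, so on a non-Xerces DocumentBuilderFactory every XMP/XFA parse will now fail instead of running unprotected — fail-closed, which is the right default for a security fix, but it deserves to be stated. In the jempbox and pdfbox XMLUtil hunks the enclosing try block begins inside the hunk while its catch clause lies outside it; confirm that catch does not fold this configuration failure into a generic parse error that hides the cause (PDXFA.getDocument declares the exception, and DomXmpParser appears to wrap it as an ErrorType.Configuration XmpParsingException, both visible in the hunk). A one-line comment above each feature block would keep the next backporter from "simplifying" it: `// XXE hardening (CVE-2016-2175): reject any DOCTYPE and never resolve external entities or DTDs; setFeature throws ParserConfigurationException on JAXP providers lacking these Xerces feature names.` The two blank-line removals in DomXmpParser are unrelated whitespace churn in a security backport and only make the patch harder to rebase.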
diff --git a/debian/patches/series b/debian/patches/series
index 46e094f..ea27028 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 build.xml.patch
 build-subproject-docs.patch
 bc-1.47.patch
+CVE-2016-2175.patch
